Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
Start a conversation
310
Views
2
Helpful
4
Replies

How to authorize in cisco AnyConnect

Go to solution
michaelgebreegziabher21778
Level 1
Level 1

ā€Ž05-07-2024 05:13 AM

Our remote workers utilize RAVPN  by installing AnyConnect software on their work machines. To distinguish users based on their groups, I employ Group Policy. While the authentication process is functioning correctly, an issue arises where any authorized user can access VPN profiles belonging to other groups. We have configured AD on the authentication server.

How can I configure the AD and FMC to ensure that users are authenticated solely based on their respective groups, thereby isolating them from accessing VPN profiles outside of their designated groups?

Labels:
1 Accepted Solution

Accepted Solutions

Go to solution
tvotna
Spotlight
Spotlight

ā€Ž05-07-2024 07:20 AM

You can assign group-policy with LDAP attribute maps when users are authenticated to AD via LDAP. For this you can use memberOf LDAP attribute or some other attribute in LDAP schema:

https://www.cisco.com/c/en/us/support/docs/network-management/remote-access/216313-configure-ra-vpn-using-ldap-authenticati.html

memberOf attribute is ok if a user belongs to a single AD group for mapping purposes, otherwise the mapping can lead to unexpected results.

 

View solution in original post

4 Replies 4

Go to solution
tvotna
Spotlight
Spotlight

ā€Ž05-07-2024 07:20 AM

You can assign group-policy with LDAP attribute maps when users are authenticated to AD via LDAP. For this you can use memberOf LDAP attribute or some other attribute in LDAP schema:

https://www.cisco.com/c/en/us/support/docs/network-management/remote-access/216313-configure-ra-vpn-using-ldap-authenticati.html

memberOf attribute is ok if a user belongs to a single AD group for mapping purposes, otherwise the mapping can lead to unexpected results.

 

Go to solution
michaelgebreegziabher21778
Level 1
Level 1
In response to tvotna

ā€Ž05-09-2024 03:21 AM

Thank you, it was effective for me based on the URL. I work for the LDAP attribute maps on the Authorization, and it worked.

0 Helpful

Go to solution
tvotna
Spotlight
Spotlight
In response to MHM Cisco World

ā€Ž05-08-2024 12:56 AM

DAP is unnecessary to achieve this goal.

 

0 Helpful
Customers Also Viewed These Support Documents